For many people, the metaverse is confusing and it must be recognized that virtual reality seems to be taken from a science fiction book, but every day great steps are taken to advance towards a deeper digital construction. But… what effect could this advance have on our personal and private data?
Currently, there are multiple metaverse proposals, from the most popular Meta to Microsoft’s, going through all those linked to what we have been understanding as “video games”, such as Fortnite or World of Warcraft. (You can see here an extensive analysis of the current situation of these virtual worlds). With these platforms, immersive interactions are sought in virtual spaces, where users can access a social experience, a digital identity and ownership of assets with an exchange market.
A very nice concept: a world where all users live in harmony. But the reality is that with great power comes great responsibility, and if this responsibility is not handled wisely, we can end up like the passengers on the space station in the movie Wall-E, in a completely machine-controlled environment.
User privacy: the biggest concern of the AEPD
Through a publication on its blog, the Spanish Agency for Data Protection (AEPD) has ruled for the first time on the privacy challenges that the new digital dimensions may present, alleging that they allow “knowing and profiling the individual at not previously known in social networks”
In a social network you can get various personal information of its users, but always based on an uploaded photo, the comments they make or their behavior on the web. The algorithms of the platforms in charge of organizing and displaying content related to their preferences to users learn from these habits every day.
Now, with the metaverse, things are magnified, because you only have to imagine the potential that these described algorithms can have and the amount of data that a single user can generate in a virtual world that wants to be a faithful representation of the real world. LThe information is not based only on photos or comments, but on the way of positioning, body language and the approach to other avatars.
In its article, the AEPD indicates, “from the point of view of privacy, the use of the metaverse can be very intrusive, since the set of data that is processed in this environment increases exponentially. Any virtual environment is by design fully datafied and allows a broader spectrum of information relating to human activities to be processed”.
Precisely these human activities indicated by the entity, are those that can involve “new categories of data with greater granularity and precision”. And it is that to enter the metaverse it is not necessary to connect through a mobile phone or a computer, it implies using virtual reality glasses (VR) or any wearable device, with which more exact biometric information can be collected: “The glasses of VR extract information from the variations of the iris and the controls that interface with the metaverse reveal the postural changes, which allows the emotional response to be analysed”, explains the AEPD.
“The analysis of the relative position of avatars in a virtual world allows proxemic analysis automatically, that is, the study of the organization of space in non-verbal linguistic communication. The times and the form of reaction allow biomechanical study of the individual and so on”, continues the AEPD
Within the metaverse, users can have virtual social experiences like those lived in the real world, so they can face risks to their privacy, such as mass surveillance, discrimination, loss of autonomy, fraud or impersonation of identity. You can even be a victim of the theft of your personal data if wearable devices are compromised, which could cause real physical risks.
But the Agency’s concern is not limited to users, but rather to the possibility that these technological developments in the metaverse want to be used to “replace the regulation and governance mechanisms of the real world with automatically executed rules”, as has been the case. In the case of some cryptocurrencies, which, as they are not regulated by any entity, can generate large losses of money.
The AEPD statement even reserves a space for the recent controversies around the crypto world: “An important aspect to take into account is the development of metaverses on technologies that seek to replace real-world regulation and governance mechanisms with automatically executed rules, as has already happened in certain cryptocurrencies on blockchain. That is, the possibility of displacing the human in the process of applying the rule and the law, and replacing it with algorithms that make decisions in a virtual environment.
GDPR won’t be enough to manage the metaverse
In the publication, the AEPD explains that the laws of the metaverse will have to be contrasted not only with the General Data Protection Regulation (RGPD), but also with the new regulatory proposals that are being prepared in the European Union such as the Digital Service Act, the Data Act, the Digital Markets Act, the Data Governance Act, the proposed AI Regulation, among others.
Finally, the agency states that, for now, massive data processing must be as established by the RGPD, so it is necessary to take into account: data minimization mechanisms for wearable devices, governance mechanisms and standards. transparent, audits of automated processes to prevent abuse, bias and discrimination, proper management of devices to protect transmitted and stored data, data protection impact assessments, as well as “specific privacy guarantees by design and by default that are may apply, for example, to preserve the privacy of avatars and their digital footprint in the metaverse.”
Likewise, the right of users to cancel and delete is required to disappear from the metaverse when they deem it necessary, security systems so that these worlds always remain available and put minors as the central axis when defining the measures and guarantees of these new digital spaces.
Stay informed of the most relevant news on our Telegram channel